Singapore Airlines Software Bug Results in Breach

Singapore Airlines (SIA) has revealed that a software bug exposed the personal data of 285 customers, including passport details for seven of them, after a change was made to its website over the weekend. The glitch reportedly caused a data breach of its frequent flyer program, compromising members' personal information, including passport and flight details.

According to SIA, which spoke to Channel NewsAsia, the incident occurred between 2:00am and 12:15pm on Friday. “We have been made aware of a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer.”

The incident reportedly came to light after a KrisFlyer member did just that. In a Facebook post, Tricia Leo wrote that she was able to see someone else’s information when she logged in to her own account.

Software bugs can often lead to these types of breaches of end users' data, and according to Matt Rose, global director of application security strategy, Checkmarx, these nearly daily occurrences are the result of increased complexities in modern web application and software design.

“Most security programs don’t take a holistic approach to managing all the points of software exposure,” Rose said. “In the case of Singapore Airlines, poor software security testing practices on a software update has led to the privacy invasion of nearly 300 customers, exposing extremely sensitive information like passport numbers. Unfortunately, this isn't the first we've heard of an airline breach and it won't be the last, which is why software must become a priority in the security program of airline companies worldwide.”

However, there are ways to mitigate the damage from exposed data that result from software glitches and data breaches. “Institute new technologies that include passive biometrics and behavioral analytics,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

“Leveraging these technologies will allow companies to correctly identify customers by their behavior online rather than by credentials that have been stolen. It is an approach that allows companies to continue rewarding customers while cutting stolen credentials out of the equation even if a breach of personal data occurs.”